
Mobile Challenges: An Overview

Data drives business today, as IT managers and security executives face enormous pressure to use data effectively and securely. They require quick, agile transmission of data via a wide number of communication channels and devices, with smartphones and tablets in particular being increasingly prevalent data consumption devices.

The corporate mobile landscape is increasingly crowded by devices, business applications, and technologies, including an increasing number of business applications ready for (or designed to be used with) mobile devices such as laptops, netbooks, smartphones, and tablets. Furthermore, organizations are adopting bring your own device (BYOD) initiatives that allow users to incorporate their own mobile devices into daily business tasks, from to the use of all business applications available within the organization.

At the same time, freedom to access data through mobile devices involves serious risks and issues. One reason information is such an important asset for an organization is that it conceals intrinsic value. It needs to be managed securely to prevent/minimize internal and external threats that might expose this information to deliberate or non-deliberate disclosure, misuse, or damage.

Threats include (but are not limited to):

- malware and spyware: while in the past malicious software predominantly affected personal computers, in recent years the mobile industry has seen an increase in the number of malware and spyware programs used to cause harm or to steal confidential information from users and companies;
- hacking: by exploiting a system's/network's weaknesses, hackers can gain access to sensitive data in order to exploit, disclose, or harm information residing within the mobile infrastructure;
- data loss: an increasing number of mobile users and organizations store sensitive information within their mobile devices, information that can potentially be stolen or lost with the device; and
- jailbreaking (iOS)/rooting (Android): many mobile users choose to modify the original operating system to expand the capabilities of iOS and Android devices. However, such modifications make devices more vulnerable to external attacks and may expose information and passwords stored on these devices to hackers.

But these are not the only challenges. Mobile proliferation leads to a number of other risks:

- a focus on applications rather than on corporate strategy, hindering a complete corporate view of the deployment, maintenance, and security of a mobile platform
- corporate mobile silos with little or no interaction capabilities, preventing a centralized approach to the management of applications and devices
- painful scalability due to lack of a unified mobile strategy
- little to no mobile governance

These challenges can make it difficult and sometimes impossible to secure all elements of the corporate mobile infrastructure. That said, it's imperative for organizations to find and maintain an optimal balance between data security and access to information, at all times. In other words, when deploying a corporate mobile strategy, organizations need to address mobile security strategy needs properly in order to ensure that all mobile security components work with and not against user access.

Security managers need to approach the problem to find the level of acceptable risk for access to sensitive information through mobile devices, and an easier way to configure and control it in a single instance as much as possible. They also need to define the right policies and deploy the necessary solutions to configure responsibilities and define which level of risk can be taken and who is authorized to take it, if necessary. This is aimed at providing adaptive security measures that are transparent to the user without creating unnecessary limits, while establishing a risk schema that defines where and when a risk is acceptable and who is authorized to accept it.

Mobile Security from the Inside Out: Solving the Security Challenge

Given that data is one of an organization's most important assets, it's vital to take mobile security into consideration at various levels:

- At the source: Source encompasses all components residing within the corporate firewall. Everything within the corporate network must be protected, which means implementing policies and strategies to grant, limit, or prohibit access to the corporate network. This includes the use of specific mobile virtual private network (VPN) tunnels or a secure mobile network operation center (NOC).
- During transmission: I.e., the transmission of information over a wireless network. Three elements are important at this stage: sending, reception, and transit through the wireless network. Securing transmission includes verification/authentication of the sender as well as the use of additional processes such as data encryption.
- At target (internal devices): The vast number and variety of devices, as well as new corporate patterns of adoption, make it essential for organizations to anticipate new risks, from exposure of sensitive data through theft or loss, to the potential threat of malware and spyware programs. Measures such as restricting access to the mobile device, or establishing policies to block or erase sensitive data need to be taken to ensure information security is improved.

Securing the Corporate Mobile Strategy

Thus, securing the corporate mobile platform requires a rigorous evaluation not only of the entire corporate set of mobile applications, but also of the technical and human infrastructure.

The BYOD Scenario

Many IT managers are incorporating a BYOD approach in the workplace. This means that they need to implement security measures for different types of mobile devices for both the hardware and software. In particular, IT managers will need to secure different sets of mobile operating systems (OSs), such as SymbianOS, iOS, Android, and BlackBerry, and address the challenges in establishing security measures for each of the mobile OSs that they have in place. This is made more difficult by the fact that some mobile OSs such as Android and iOS were not designed for corporate environments.

So, ensuring security for a multi-mobile device environment means:

- integrating all mobile devices within a single security infrastructure,
- making security measures as transparent as possible for the user,
- automating as many device security measures as possible, and
- creating a combination of written policies and technology enforcement measures, and ensuring end users are aware of them.

These challenges can hardly be overcome without a comprehensive way of managing all mobile devices within a single strategy and/or application. This is where a corporate view comes in handy.

Why a Corporate Solution?

With data flowing wirelessly through a grid of mobile devices and business applications, both inside and outside the corporate firewall, it is important to diminish risk and improve the productivity of the mobile infrastructure.

A corporate approach to managing the entire mobile infrastructure can provide many benefits:

- a centralized application to administer mobile security at all stages (source, transmission, and target)
- straightforward creation and monitoring of general mobile policies
- secure and controlled user devices
- automation of security tasks (automatic update installation, security patches, updated user profiles, etc.)
- minimized user responsibility with respect to mobile security tasks
- balance between security and easy authentication of user access to the mobile platform
- potential integration with third-party security standards and solutions
- platform scalability/configuration to meet different needs and requirements
- proper training and security assessment for all involved users
- a set of self-service scenarios to help end users address problems quickly, with minimal support costs
- means for detecting jailbroken/rooted devices and denying network access to them
- meeting regulatory and data protection standards specific to industries and countries

An enterprise mobility management (EMM) solution provides much of the functionality required to maintain the security of the mobile platform. As a middleware solution, it can serve as a centralized enabler or limiter of access to the mobile network, as well as manage mobile security by addressing the complete data cycle within the corporate mobile infrastructure.

EMM solutions have the potential to leverage data security by:

- reinforcing security controls within all corporate mobile devices;
- configuring access to mobile services and applications;
- enabling the setting and maintenance of mobile access policies;
- centralizing security management to respect a single source for security control, thereby facilitating the monitoring, configuration, policy enforcement, and maintenance of the infrastructure;
- providing a set of analytics tools integrated to the mobile infrastructure to allow administrators and key users to establish relevant security key performance indicators in order to identify key security issues in all stages of the mobile platform (from the device to the mobile server), as well as to establish usage profiles to identify potential threats, reinforce security policies, and monitor device usage, enrollment, etc.; and
- empowering end users with self-service.

A corporate mobile approach needs to perform the following main tasks:

- authentication
- set and configure firewalls to prevent hacking and external attacks
- centralize management of security on mobile devices
- secure data in transit
- deploy anti-malware applications on mobile devices
- implement policies of use of mobile devices
- protect data at rest
- train for and promote risk awareness

Assess Your Level of Corporate Mobile Security

Take the following self-assessment to help you evaluate your current mobile platform status. Answer Yes, No, or Partially, according to your organization's ability to address each of the following items. Once you're done, tally your score and consult the legend following the table for your results.

Scoring for each item: Yes (5 points), No (0 points), Partially (3 points).

Authentication
- Our solutions provide centralized policy management and enforcement
- We authenticate users and devices
- We define power-on passwords for mobile devices

Firewalls
- Security levels are easily defined and configured by the administrator
- We restrict types of traffic and origins
- Our detection systems can block external attacks

Centralized security management
- We have centralized provisioning of settings and policies
- We lock mobile security settings on devices to prevent users from modifying them
- We deploy security and pattern file updates as well as software patch updates to mobile devices
- We install mobile security applications on devices
- Integrated analytics to monitor and analyze security performance

Secure in-transit data
- We use virtual private network (VPN) technologies
- Secure socket layers (SSLs) are simple to implement

Anti-malware applications
- We have implemented real-time scanning for malware over devices
- We scan for mobile threats and applications
- We update security apps regularly with minimum user or administrator intervention
- We have a jailbroken/rooted device detection service in place

Policies of use for mobile devices
- We have developed and enforce mobile security policies within all applicable areas
- We inventory all device types and models
- We protect or restrict data synced with mobile devices

Protection of data at rest
- We have selected the necessary encryption to comply with policies
- We provide in-place encryption
- We protect and manage encryption keys
- We encrypt all data at rest

Training and risk awareness
- We have established formal security training
- We have established simple and clear risk awareness policies
- We have established self-service scenarios for users

Fewer than 63 points: low security/high risk
While some security measures may be deployed, major improvements should be made to the mobile platform. The security approach is reactive, and issues are addressed as they arise. Prevention is difficult, as is setting and executing proper security policies. Mobile security is mostly based on security imposed by devices with less corporate awareness. Lack of training and risk awareness on the part of users makes security administration costly and slow.

Between 63 and 93 points: moderate security and risk
The mobile platform has improved reliability but still needs to address issues that might represent a threat for data and systems in use by the corporate infrastructure. While there are some prevention measures in place, configuration of the platform may still be somewhat complicated and slow, addressing rather than preventing problems. Some security processes may be automated, which decreases pressure from mobile administrators with respect to some security tasks.

More than 93 points: high security/low risk
There is an existing infrastructure in place that enables mobile administrators to implement prevention measures by automating some security processes. Data security policies are well defined, and security controls are in place to protect data transmission and mobile devices. While there is always room for improvement, improvements are deployed as reinforcements rather than as immediate issue avoidance.

Report sponsored by SAP

About Technology Evaluation Centers

Technology Evaluation Centers (TEC) provides insight and expertise in offering impartial resources and services to minimize the costs, risks, and time associated with software selection. Over 3.5 million technology decision makers visit TEC's Web sites each month, to find information on hundreds of solutions, and to access articles, white papers, and podcasts. TEC's decision support system (DSS) and analyst data assist with the evaluation, comparison, and selection of enterprise solutions and services. TEC's offerings include in-depth research, detailed product information, and software selection services for any industry or company size.
